1. Structure
1.1. Intro
1.1.1. not a new solutions but evidence that it's time has come
1.1.1.1. resurgence of interest, like virtualization
1.1.1.2. Whitelisting, the concept of which dates back to the mainframe days of locked-down and controlled applications, lets only approved and authorized applications run on user machines.
1.1.1.3. Rather than track and quarantine harmful bits, whitelisting involves barring all but approved executables from running on a given machine.
1.1.2. The idea is simple – signatures of known bad stuff is a blacklist, signatures of known good stuff is a whitelist. Blacklisting has been the preferred method for AV over the last decade. Blacklisting has the benefit of near-zero false positives – something customers expect. Blacklisting also keeps the customers coming back – new malware means new signatures – perfect for recurring revenue models for vendor’s balance sheet.
1.1.3. John T quote of 2008
1.1.3.1. darkreading.com > Security > Management > ShowArticle ? ...
1.1.3.2. The number of exposed records has tripled in the last year,” Thompson said. He called for the creation of a federal law that requires companies to disclose details on their security breaches in a timely fashion. “If ever there was a cry for change in public policy, it’s now." The Symantec research also indicates that, for the first time, there are more malicious applications (65 percent) being spread across the Web than legitimate applications. “I don’t usually make predictions, but if the growth of malware continues at this pace, I predict that technologies such as whitelisting will become more critical."
1.1.4. conventional solutions reached limits, like firewalls
1.1.4.1. AV is the definitive blacklisting solution
1.1.4.2. but the solution reached an inflection point
1.1.4.2.1. who said that?
1.1.4.3. point of diminishing returns
1.1.5. BL always be present
1.1.6. essentially days are numbered as front line defense
1.1.7. erosion of trust
1.2. Blacklisting limitations
1.2.1. why is malware growing?
1.2.1.1. from mass distribution of a small number of threats to micro distribution of millions of distinct threats
1.2.1.1.1. facilitated by malware server generating new strains every few mins
1.2.1.1.2. We now know of over 1.8M distinct malware strains We’re collecting 10,000s of new strains per day
1.2.1.1.3. Stealthiness is increasingly a dominant design goal 70-80% of malware samples are packed, in many cases through multiple layers of packing
1.2.1.1.4. 1m altogther, 2/3 created in 2008
1.2.1.2. better method for capturing and recording
1.2.1.2.1. Today, new malware can be automatically collected, without human intervention. The slow trickle of malware turned into a flood as honeypot technology emerged. Sensor grids can obtain new malware samples with efficiency - they automatically ‘drive by’ (aka spidering) malicious websites to get infections and leave open ports on the ‘Net so automated scanners will exploit them. In parallel to the automated collection efforts, cybercrime has risen to epic levels.
1.2.1.3. more money behind malware development
1.2.1.4. entry barrier falling
1.2.1.4.1. Finally, the barrier to entry has dropped for the cyber criminal. Cyber weapon toolkits have become commonly available. Anti-detection technology is standard fare. New variants of a malware program can be auto-generated. A safe bet is to expect thousands of new malware to hit the Internet per day.
1.2.1.4.2. malware toolkits
1.2.1.4.3. anti-detection technology available
1.2.1.4.4. auto-generate and release variants
1.2.1.5. figures
1.2.1.5.1. avertlabs.com > Research > Blog > Index.php > 2008 > 07 > 01 > The-end-of-exponential-malware-growth
1.2.2. the signature scan method
1.2.2.1. Scanning
1.2.2.1.1. basic modes
1.2.2.1.2. Perfect for detecting known malware, known insecure software, known intellectual property.
1.2.2.1.3. They are the cash cow of the anti-virus companies.
1.2.2.2. pattern-matching approach not adapted to changes in malware
1.2.2.2.1. A few years ago, a single classic signature could protect 10,000s of users Today a single classic signature typically protects < 20 users
1.2.2.2.2. matching every malware signature against every file is archaic, not feasible
1.2.2.2.3. what fraction of malware goes undetected?
1.2.2.2.4. fingerprinting model needs to be augmented or replaced
1.2.2.3. terms
1.2.2.3.1. scan
1.2.2.3.2. fingerprinting
1.2.2.3.3. pattern-matching
1.2.2.4. Cost
1.2.2.4.1. Even for systems with enough resources to shoulder scanning overhead, as well as the connectivity and availability to receive frequent anti-virus signature updates, these security products are reactive in nature and lack potency regarding new or tightly targeted threats not yet included in the anti-virus vendors’ signature databases.
1.2.2.4.2. there’s considerable system overhead associated with scanning, and the frequent signature updates required to keep anti-virus applications in good working order can be difficult to maintain.
1.3. Need new or alternate strategy
1.3.1. Application whitelisting offers organizations an anti-malware option that can be more flexible than total lockdown yet more comprehensive than the blacklisting approach embodied by anti-virus.
1.3.2. Symantec’s top security architects believe a hybrid whitelisting and reputation-based antivirus approach will become the only effective means of securing enterprise & consumer endpoints
1.3.3. WL
1.3.3.1. Tracking Applications Only Listed Applications Run Listed Applications are ‘Good’
1.3.3.1.1. not good but not known to be bad
1.3.3.1.2. define good
1.3.3.2. No zero-day threats No chronic signature updating No paying for chronic signature updating
1.3.3.2.1. does not eliminate zero day threat !
1.3.3.3. Blocks malware and unlicensed/ unauthorized software from installing and executing Eliminates reactive security patching Eliminates unplanned or unmanaged configuration drift
1.4. WL management
1.4.1. is it easier to manager DB of good apps as opposed to 1m malware and growing?
1.4.2. Compiling the initial whitelist requires detailed reviews of users' tasks and the applications they need to complete them. The growing complexity of business processes and applications makes maintaining the list a lot of work.
1.4.3. To make application whitelists a success in your organization, you need not only senior management buy-in, but also a way of letting users quickly and easily request permission to run a new application.
1.4.4. A more draconian step would be to allow systems to only install software that is digitally signed and downloaded from a trusted repository.
1.4.5. At this point, administrators also can add other applications to their whitelist policies and, in most cases, determine separate allowed application policies for different sets of users based on group information in Active Directory. Certain application whitelisting products, such as those from Bit9 and CA, also offer administrators guidance in deciding which applications to include in their whitelists. Both vendors maintain databases of scanned applications, along with trust ratings based on the vendors’ analysis.
1.4.6. And displaying a pop-up that asks you to decide whether an unknown app is okay to run ensures that you'll eventually make the wrong call and break your software or even your system. Most antivirus companies rightly make every effort to minimize the number of alerts that ask us to make a decision; an overreliance on whitelists could roll back those improvements.
1.4.7. how to handle the non-standard stuff
1.4.7.1. Recently Released Applications Proprietary Applications Miscellaneous dlls, drivers, etc.
1.5. Limits
1.5.1. not safe computing
1.5.1.1. Whitelists, however, cannot fix an allowed program that has a vulnerability. Even in a whitelist environment, a typical buffer-overflow attack, for example, can still run malicious executables, because the system thinks it's the whitelisted, but vulnerable program running the code.
1.5.2. granularity
1.5.2.1. selective user install and run
1.5.2.2. A simple "Yes" or "No" decision either allows the program to run or not, whereas it may be appropriate for some users to use a certain program, but only access certain features.
1.5.3. Changing the approach by antivirus software of fighting viruses to whitelisting would involve antivirus software having a list of only those programs which are known to not contain viruses or malware. The software would only allow programs to run on your computer that are known to be free of viruses and malware.
1.5.3.1. no no no
1.5.4. technical issues
1.5.4.1. fasthorizon.blogspot.com > 2008 > 06 > Whitelisting-is-next-snake-oil
1.5.4.2. is this snake oil?Whitelists are based upon files on disk. A whitelist, in current industry terms, means a list of the MD5 sums for files ON DISK. Please understand that files on disk are not the same as files in memory. And all that matters is memory. When a file is LOADED into memory, it CHANGES. This means on-disk MD5 sums do not map to memory. There are several reasons memory is different: 1) Memory contains much more data than the on disk file 2) Memory contains thread stacks 3) Memory contains allocated heaps 4) Memory contains data downloaded from the Internet 5) Memory contains secondary or tertiary files that were opened and read 6) Memory contains data that is calculated at runtime 7) Memory contains data that is entered by a user All of the above are not represented by the file on disk. So, none of the above are represented by the whitelist MD5 sum. Yet, when the file hash on disk passes for white-listed, the running in-memory file is considered whitelisted by proxy. This is where the whole model breaks down. In memory, there are millions of bytes of information that are calculated at runtime – they are different every time the program is executed, the DLL is loaded, or the EXE is launched. These bytes are part of the process, but unlike the file on disk they change every time the program is executed. Therefore, they cannot be whitelisted or checksummed. This data can change every minute, every second of the program’s lifetime. None of this dynamic data can be hashed with MD5. None of this dynamic data is represented by the bytes on disk. So, none of it can be whitelisted.
1.5.4.3. For malware authors, the whitelist is a boon. It means that a malware author only needs to inject subversive code into another process that is whitelisted. Since the whitelist doesn’t and cannot account for dynamic runtime data, the malware author knows his injected code is invisible to the whitelist. And, since the process is whitelisted on disk, he can be assured his malware code will also be whitelisted by proxy. So, in effect, whitelisting is actually WORSE than blacklisting. In the extreme, the malware may actually inject into the desktop firewall or resident virus scanner directly as a means of obtaining this blanket of trust.
1.5.4.3.1. just see the art at the end
1.6. Strategy
1.6.1. interest from big players
1.6.1.1. What's interesting is that the big guys Google (Green Border Technologies), Microsoft (Winternals Software's Protection Manager, and now Symantec have started paying attention to whitelisting.
1.6.1.2. Patchlink, AppSense, Bit9, SignaCert, CA et al)Patchlink, AppSense, Bit9, SignaCert, CA et al)
1.6.1.3. Patchlink and SecureWave
1.6.1.3.1. If you speak to the management of either Patchlink or SecureWave they'll provide you with a series of reasons why the merger between the two makes sense, in terms of growth goals, customer base, geographical coverage, corporate culture, etc.
1.6.1.4. all have something to say in bit9 ppt
1.6.1.5. gradual introduction
1.6.1.6. how to move to WL while preserving BL revenue base
1.6.1.6.1. AV vendors are now beginning to realise that their time has passed and the majors (Symantec, McAfee and Trend Micro) are looking for ways to join the whitelisting movement without poisoning their AV revenues.
1.6.2. Application whitelisting is a good complement to other anti-virus strategies
1.6.2.1. such as blacklisting, diligent patching and user education
1.6.2.2. and the PCI DSS (Payment Card Industry Data Security Standard) specifically mandates the use of anti-virus software on machines through which credit card data passes.
1.6.2.3. Bit9 and Kaperskty partnership
1.6.2.3.1. In the face of that sobering reality, Kaspersky this summer will release its first consumer antivirus products that bring in whitelists. It will use lists from Bit9, a whitelisting company that maintains a 6.3 billion-strong list of known good applications. The new Kaspersky applications won't automatically block programs not on the Bit9 list, but instead will focus scanning resources on those programs that Bit9 doesn't recognize. Theoretically, that could allow for more careful scrutiny of unknown files with less risk of false alerts.
1.6.2.4. With AV, every year or so a new client security technology comes along and the death of AV is prophesised. In the end, users either decide that the new technology is not as important or good as the start-ups make out and ignore it, or it turns out that AV and the new technology have their benefits and the result is the new technology is integrated into the AV clients.
1.6.2.4.1. deja vu
1.6.2.4.2. actually abosorbed under AV name
1.6.3. Cloud
1.6.3.1. probably unmanageable for the desktop
1.6.3.2. ping the cloud instead
1.6.3.2.1. trend micro
1.6.3.2.2. this may be the new model even w/o WLs